Software gurus: Only developers can defeat mass surveillance

Fowler, Dörnenburg urge devs to stick up for the users

Software developers should not be content with writing code that works; they have a responsibility not to harm their users, say Agile development experts Martin Fowler and Erik Dörnenburg, speaking at the Goto Aarhus conference in Denmark last week.

Fowler was among the signatories of the 2001 Agile Manifesto, part of the movement to promote incremental and collaborative software development rather than setting a specification in stone and then throwing it over to programmers for coding.

Agile has been influential, to the extent that most software projects today claim to adopt it, but Fowler says that his biggest disappointment is that software is still mostly designed by analysts rather than being truly collaborative. A key Agile concept is that all stakeholders participate in the process, including the users.

Creating software that encourages users to do things that aren’t in their interest is not Agile. It is a “dark pattern”, says Fowler. Examples include ecommerce sites that add insurance to your purchase without asking, or printer drivers that refuse to print even when there is ink in the cartridge because the vendor thinks you should buy a new one after a certain number of pages.

“The developer who wrote that code is every bit as responsible as the person who told them to do it. You have a choice. You have a responsibility to ensure that your users are well treated and to reject dark patterns,” says Fowler. “We have a whole profession of people writing software and doing enormous things to change the way we live in the world.”

Do not track

Spending a bit more on ink is one thing, but the more serious problem is the emerging surveillance culture, argue Fowler and Dörnenburg. “What we do online is tracked to an enormous extent, a lot of it by commercial organisations,” says Fowler. Privacy is constantly undermined. “We are trained to think privacy is a special need. The default is everybody can observe everything. Privacy should be the default. The tracking should be something that is out of the norm,” says Dörnenburg.

Most people think this does not matter, either because they have nothing to hide, or because they believe they are not interesting to those who might be observing them. This is a false argument, they argue, because there are people for whom it does matter: “the kind of people that annoy and bother those that are powerful. One example is an investigative journalist,” says Fowler. “Those people are essential to the operation of a free society. If we don’t have investigative journalists rooting out corruption, how do we know how to vote intelligently?”

One of the key issues is that so much data passes through the internet without encryption. “The responsibility is on us as a profession,” says Dörnenburg. “It is naïve that we created protocols (like email and HTTP) that transmitted everything in plain text. We as technologists have taken the easy way out. Then we blame the users and tell them to install this or that plug-in. We need to make it so easy to use that normal users do not need to do anything special.”

The duo are promoting an open source project called Pixelated, which does encrypted email.

Another problem is centralisation, according to the duo. “If you look at the history, first everything was heavily centralised in the mainframe era, then we had a level of decentralisation with client server, and then with the cloud platforms you’re going back to a different kind of centralisation,” ThoughtWorks CTO Rebecca Parsons told me. “When you are looking at a surveillance surface, there are only a small number of places to go. With email, with Salesforce, you’re getting a massive centralisation there.”

Parsons says that “the extent of decentralisation is something that can be considered when architecting a solution to a problem. You can use peer to peer architecture rather than a more centralised architecture.”

The prevailing wisdom is that multi-tenanted cloud platforms offer more cost-effective and reliable solutions than those built on private infrastructure, but centralisation has risks of its own that should be considered.

The choice for developers, says Fowler, is “being responsible over maximising gain. When it comes to the crunch, do we need to be responsible first? Or do we maximise the financial gain and just not care?”

Can developers really avoid "dark patterns" in the software they build, or is that determined by those who commission it, who can always find other developers if need be?

Developers may write the code, but their ability to effect cultural change is limited. Even so, for a software company like ThoughtWorks to express its concerns so publicly shows how widespread fears about privacy erosion and surveillance have become.